feat: add allowedUnsafeExecutions for ./gradlew
#39945
Open
+152
−7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We recently introduced the ability for self-hosted administrators to control execution of possibly unsafe commands with `allowedUnsafeExecutions`. An existing attack vector of Gradle Wrapper commands being executed (i.e. for Verification Metadata or lockfile updates) needs to be retrofit into `allowedUnsafeExecutions` as part of #39657. This will be kept on-by-default until the next breaking change, after which self-hosted administrators will be able to opt-in to enabling this functionality is required.
jamietanna
commented
Dec 12, 2025
Comment on lines
+80
to
+86
| if (!isGradleExecutionAllowed(cmd)) { | ||
| logger.trace( | ||
| 'Not allowed to execute gradle due to allowedUnsafeExecutions - aborting update', | ||
| ); | ||
| return subprojects; | ||
| } | ||
|
|
Contributor
Author
There was a problem hiding this comment.
Coverage checks aren't happy here - we don't currently test this directly (as it's not exported) and right now it's not called unless isGradleExecutionAllowed === true
But I didn't want to leave it "at risk" of not having it set
jamietanna
commented
Dec 12, 2025
| import os from 'node:os'; | ||
| import upath from 'upath'; | ||
| import { mockDeep } from 'vitest-mock-extended'; | ||
| import { globalConfig } from 'zod/v4/core'; |
Contributor
Author
There was a problem hiding this comment.
Suggested change
| import { globalConfig } from 'zod/v4/core'; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes
We recently introduced the ability for self-hosted administrators to
control execution of possibly unsafe commands with
allowedUnsafeExecutions.An existing attack vector of Gradle Wrapper commands being executed
(i.e. for Verification Metadata or lockfile updates) needs to be
retrofit into
allowedUnsafeExecutionsas part of #39657.This will be kept on-by-default until the next breaking change, after
which self-hosted administrators will be able to opt-in to enabling this
functionality is required.
Context
Please select one of the following:
allowedUnsafeExecutionfor./gradlew#39657AI assistance disclosure
Did you use AI tools to create any part of this pull request?
Please select one option and, if yes, briefly describe how AI was used (e.g., code, tests, docs) and which tool(s) you used.
Documentation (please check one with an [x])
How I've tested my work (please select one)
I have verified these changes via:
Warning
TODO
The public repository: